CN108390870B - Method, device, storage medium and equipment for defending network attack - Google Patents


Info

Publication number: CN108390870B
Application number: CN201810135581.8A
Authority: CN (China)
Prior art keywords: rate, packet, source, source address, packet rate
Priority date:
Filing date:
Publication date:
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN108390870A (en)
Inventor: 娄扬
Current assignee: Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd

Events:
    • Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
    • Priority to CN201810135581.8A
    • Publication of CN108390870A
    • Application granted
    • Publication of CN108390870B
    • Legal status: Active (current)
    • Anticipated expiration

Classifications

All classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408 detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14 detecting or protecting against malicious traffic; H04L63/00 network architectures or network communication protocols for network security)
    • H04L63/1458 Denial of Service (under H04L63/1441 countermeasures against malicious traffic; H04L63/14; H04L63/00)
    • H04L2463/146 Tracing the source of attacks (under H04L2463/00 additional details relating to network security covered by H04L63/00)
    • H04L43/0894 Packet rate (under H04L43/0876 network utilisation, e.g. volume of load or congestion level; H04L43/08 monitoring or testing based on specific metrics; H04L43/00 arrangements for monitoring or testing data switching networks)
    • H04L43/16 Threshold monitoring (under H04L43/00)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, a device, a storage medium and equipment for defending against network attacks, comprising the following steps: acquiring the packet rates of network messages from the various source addresses; periodically counting the packet rate distribution of the network messages of each source address; and determining a rate threshold according to the packet rate distribution, and defending against any source address whose packet rate exceeds the rate threshold. The invention improves the operability of the rate threshold that is set for judging source addresses during network attack defense, preferentially processes the high-traffic source addresses in the cyclic voting process, continuously lowers the rate threshold, improves the efficiency of suppressing malicious network attacks, can dynamically adjust the traffic judgment threshold as the network traffic changes, increases the adaptivity of the rate threshold setting, and also provides the administrator with a statistical table that visually displays the traffic situation during an attack.

Description

Method, device, storage medium and equipment for defending network attack
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, an apparatus, a storage medium, and a device for defending against network attacks.
Background
Due to the rapid development of the internet and the mobile internet, malicious network attacks of all kinds are becoming more frequent and more serious. The most representative is the distributed denial of service attack (DDoS attack), in which one or more attackers control a large number of computer terminal devices as attack sources and have them send a large amount of data to a target server at the same time, until the target server is paralysed or other normal users can no longer use the service. Prevention of DDoS attacks is an important requirement for internet security.
In view of this requirement, in the prior art a service provider mainly deploys a DDoS device to protect the server, and protects the normal traffic of normal users from being affected by means of source authentication and rate limiting. Specifically, source authentication detects whether a source address is a real, normal user; it is generally determined by checking whether the source address can complete a TCP (transmission control protocol) handshake, respond correctly to an HTTP command word, or whether the user can input a verification code. Rate limiting means that the traffic of each source address is limited to a reasonable range, so that the source address generating the attack is prevented from occupying excessive server resources. There are two common approaches to source authentication and rate limiting:
the first prior art: performing source authentication and rate limiting on all source IPs;
the second prior art: performing source authentication and rate limiting on the source IPs whose traffic exceeds a preset source threshold;
The defects of the first prior art are as follows: some active authentication methods may affect the user's experience, for example by closing a TCP connection that the user has just established; some source authentication methods may not be supported by some normal user clients, such as the input of verification codes; and in general most source addresses belong to normal users who generate normal traffic of reasonable size, so when source authentication and rate limiting are applied to all source IPs, most of these measures fall on normal users, which wastes resources and affects normal services.
The defects of the second prior art are as follows: source authentication and rate limiting are applied to the source IPs whose traffic exceeds a preset source threshold, but because network traffic is dynamic and constantly changing data, it is difficult for an administrator to set a proper source threshold that separates attack sources from normal sources. If it is set too high, defense coverage is insufficient; if it is set too low, the impact surface of the defense is not reduced. Operability is poor.
Disclosure of Invention
The invention provides a method, a device, a storage medium and equipment for defending against network attacks, which are used for solving the problem that the flow judgment threshold value cannot be dynamically and adaptively adjusted in the prior art.
According to an aspect of the present invention, there is provided a method of defending against cyber attacks, including:
acquiring packet rates of network messages from various source addresses;
periodically counting the packet rate distribution of the network messages of each source address;
and determining a rate threshold according to the packet rate distribution, and defending a source address of which the packet rate exceeds the rate threshold.
Optionally, before the periodically counting packet rate distribution of the network packet of each source address, the method includes:
and acquiring a pre-constructed voting statistical table according to the packet rate, wherein the voting statistical table is provided with a rate item for describing the packet rate distribution condition of the source address.
Optionally, the periodically counting packet rate distribution of the network packet of each source address includes:
determining, every preset time interval, the average packet rate of the network messages of each source address in the current time interval;
and counting, under each rate item of the voting statistics table, the number of source addresses whose average packet rate belongs to that rate item.
Optionally, the rate item is a rate range described by a lower rate value and an upper rate value.
Optionally, the determining a rate threshold according to the packet rate distribution includes:
accumulating, in order from high to low according to the rate values of the rate items, the number of source addresses counted under each rate item in the voting statistics table;
and when the accumulated number of source addresses reaches a preset number of source addresses, setting the lower rate value of the last accumulated rate item as the rate threshold.
Optionally, the method further includes:
the source address of which the packet rate exceeds the rate threshold is defended within the next time interval of determining the rate threshold according to the packet rate distribution;
counting the number of the source addresses of which the packet rate does not exceed the rate threshold in the voting statistic table.
Optionally, the defending the source address of which the packet rate exceeds the rate threshold includes:
performing source authentication on a source address of which the packet rate exceeds the rate threshold; and/or
And carrying out source flow limitation on the source address of which the packet rate exceeds the rate threshold.
According to a second aspect of the present invention, there is provided an apparatus for defending against cyber attacks, comprising:
the acquisition module is used for acquiring the packet rate of the network message from each source address;
the statistic module is used for regularly counting the packet rate distribution of the network messages of each source address;
and the defense module is used for determining a rate threshold according to the packet rate distribution and defending the source address of which the packet rate exceeds the rate threshold.
According to a third aspect of the present invention, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method of:
acquiring packet rates of network messages from various source addresses;
periodically counting the packet rate distribution of the network messages of each source address;
and determining a rate threshold according to the packet rate distribution, and defending a source address of which the packet rate exceeds the rate threshold.
According to a fourth aspect of the present invention, there is provided an apparatus for defending against cyber attacks, comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the method when executing the program:
acquiring packet rates of network messages from various source addresses;
periodically counting the packet rate distribution of the network messages of each source address;
and determining a rate threshold according to the packet rate distribution, and defending a source address of which the packet rate exceeds the rate threshold.
The invention has the beneficial effects that:
the invention improves the operability of the rate threshold that is set for judging source addresses during network attack defense, preferentially processes the high-traffic source addresses in the cyclic voting process, continuously lowers the rate threshold, improves the efficiency of suppressing malicious network attacks, can dynamically adjust the traffic judgment threshold as the network traffic changes, increases the adaptivity of the rate threshold setting, and also provides the administrator with a statistical table that visually displays the traffic situation during an attack.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flow chart of a method for defending against network attacks in one embodiment of the invention;
fig. 2 is a flowchart of the periodic statistics of the packet rate distribution of the network packets of each source address according to an embodiment of the present invention;
FIG. 3 is a flow chart of determining a rate threshold in one embodiment of the present invention;
FIG. 4 is a flow diagram of a method for defending against network attacks after a rate threshold is determined in one embodiment of the invention;
fig. 5 is a schematic diagram of an apparatus for defending against network attacks according to an embodiment of the present invention.
In the figure: 10-an obtaining module, 20-a counting module, 201-a determining module, 202-a voting counting module, 30-a defense module, 301-an accumulating module, 302-a setting module and 303-a data clearing module.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Referring to fig. 1-4, in a first embodiment of the present invention, a method for defending against a network attack is provided, including:
step S11: acquiring packet rates of network messages from various source addresses;
step S12: periodically counting the packet rate distribution of the network messages of each source address;
step S13: and determining a rate threshold according to the packet rate distribution, and defending a source address of which the packet rate exceeds the rate threshold. Please refer to fig. 1.
Optionally, before the periodically counting packet rate distribution of the network packet of each source address, the method includes:
and acquiring a pre-constructed voting statistics table according to the packet rate, the voting statistics table being provided with rate items describing the packet rate distribution of the source addresses. That is, the voting statistics table records under which rate items the packet rates of the network messages from the respective source addresses are counted, and, under each rate item, how many source addresses have a packet rate that falls in it.
Optionally, referring to fig. 2, the periodically counting the packet rate distribution of the network packet of each source address includes:
step S121: every preset time interval, determining the average packet rate of the network messages of each source address in the current time interval;
step S122: counting, under each rate item of the voting statistics table, the number of source addresses whose average packet rate belongs to that rate item.
That is, every preset time interval, the number of source addresses is cyclically voted and counted in the voting statistics table. Each rate item in the table represents a rate range given by a lower rate value and an upper rate value; if the average packet rate of the network messages from a source address falls within a rate range, 1 is added, by way of a vote, to the count of the rate item corresponding to that range, so that the number of source addresses whose average packet rate belongs to each rate range is counted.
Optionally, the rate term is a rate range described by a lower rate value and an upper rate value.
Optionally, referring to fig. 3, the determining a rate threshold according to the packet rate distribution includes:
step S131: accumulating, in order from high to low according to the rate values of the rate items, the number of source addresses counted under each rate item in the voting statistics table;
step S132: when the accumulated number of source addresses reaches a preset number of source addresses, setting the lower rate value of the last accumulated rate item as the rate threshold;
step S133: emptying the voting statistics table, so that, after the rate threshold has been determined, the attack traffic and the normal traffic are counted afresh in the voting statistics table while the network attack is being defended against.
Optionally, referring to fig. 4, the method further includes:
step S21: in the time interval following the one in which the rate threshold was determined from the packet rate distribution, defending against the source addresses whose packet rate exceeds the rate threshold;
step S22: counting, in the voting statistics table, the number of source addresses whose packet rate does not exceed the rate threshold. The voting statistics table at this point is the emptied table, so the traffic distribution during the defense process is counted more cleanly, and the administrator can view more intuitively the traffic distribution of the non-defended source addresses (hereinafter, non-defended sources).
In step S22, preferably, so that the administrator can also view the traffic distribution of the defended source addresses (hereinafter, defended sources), the embodiment of the present invention further counts, in the emptied voting statistics table, the number of source addresses whose packet rate exceeds the rate threshold. Preferably, so that defended and non-defended sources are displayed more intuitively, the voting statistics table is given two columns (a person skilled in the art may adjust the number of columns to the actual application, for example using only one column to count the defended source addresses; the embodiment of the present invention does not limit the number of columns): after the table has been emptied, the number of source addresses whose packet rate does not exceed the rate threshold is counted in one designated column, and the number of source addresses whose packet rate exceeds the rate threshold is counted in the other column. Once the packet rate of the attacking network messages received by the server has been brought below a preset detection threshold, voting is paused until a new network attack occurs.
Optionally, the defending the source address of which the packet rate exceeds the rate threshold includes:
performing source authentication on a source address of which the packet rate exceeds the rate threshold; and/or
And carrying out source flow limitation on the source address of which the packet rate exceeds the rate threshold.
Obviously, in the embodiment of the present invention, the source addresses attacking the server are subjected to cyclic voting statistics every preset time interval, and the rate threshold is then continuously and dynamically adjusted according to the preset number of source addresses until it is reduced to the preset detection threshold; that is, the rate threshold is continuously adjusted as the network traffic changes, so that defense measures can be taken accurately against the attack sources, the use of normal users is preserved, no resources are wasted and normal services are not affected, and operability is strong.
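The cyclic voting procedure of steps S11 to S22 above, worked through in code. This is an added example, not the patent's own implementation; the rate items, the preset source count of 3, the detection threshold of 2000 packets per second, the sample traffic, and the assumption that a throttled source is capped at the rate threshold are all constructed here.

```python
"""Cyclic-voting rate threshold as described in CN108390870B (added example, not the patent's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class RateItem:
    lower: int  # lower rate value, inclusive, packets per second (integer type)
    upper: int  # upper rate value, exclusive


class VotingTable:
    """Voting statistics table: one row per rate item, two columns (non-defended
    sources, defended sources) so an administrator can view both distributions."""

    def __init__(self, items: List[RateItem]) -> None:
        self.items = sorted(items, key=lambda it: it.lower)
        self.clear()

    def clear(self) -> None:
        """Step S133: empty the table before the next round of voting."""
        self.non_defended = [0] * len(self.items)
        self.defended = [0] * len(self.items)

    def vote(self, avg_rate: float, defended: bool) -> Optional[int]:
        """Step S122: add 1 under the rate item that the source's average rate falls in."""
        for i, it in enumerate(self.items):
            if it.lower <= avg_rate < it.upper:
                (self.defended if defended else self.non_defended)[i] += 1
                return i
        return None  # above every rate item: not counted (assumption)

    def rows(self) -> List[Tuple[int, int, int, int]]:
        """Administrator view: (lower, upper, non-defended count, defended count) per item."""
        return [(it.lower, it.upper, n, d)
                for it, n, d in zip(self.items, self.non_defended, self.defended)]


def determine_threshold(table: VotingTable, preset_sources: int) -> Optional[int]:
    """Steps S131-S132: accumulate source counts from the highest rate item downward; when
    the preset number of sources is reached, the lower rate value of the last accumulated
    item is the rate threshold. Returns None if the preset number is never reached."""
    accumulated = 0
    for i in range(len(table.items) - 1, -1, -1):
        accumulated += table.non_defended[i] + table.defended[i]
        if accumulated >= preset_sources:
            return table.items[i].lower
    return None


class Defender:
    """One cycle per preset time interval: defend sources above the threshold, vote,
    re-derive the threshold, clear the table. Voting pauses once the packet rate reaching
    the server is below the detection threshold; without that pause, quiet traffic would
    drive the threshold down to the lowest rate item and put every source under defense."""

    def __init__(self, items: List[RateItem], preset_sources: int,
                 detection_threshold: float) -> None:
        self.table = VotingTable(items)
        self.preset_sources = preset_sources
        self.detection_threshold = detection_threshold
        self.threshold: Optional[int] = None
        self.paused = False

    def run_interval(self, avg_rates: Dict[str, float]) -> dict:
        """avg_rates: source address -> average packet rate in this interval (step S121)."""
        defended: Set[str] = set()
        for src, rate in avg_rates.items():
            is_defended = self.threshold is not None and rate > self.threshold  # step S21
            if is_defended:
                defended.add(src)
            self.table.vote(rate, is_defended)  # step S22, into the matching column
        # Assumption: source throttling caps each defended source at the rate threshold.
        reaching_server = sum(min(r, self.threshold) if s in defended else r
                              for s, r in avg_rates.items())
        self.paused = self.threshold is not None and reaching_server <= self.detection_threshold
        if not self.paused:
            new_threshold = determine_threshold(self.table, self.preset_sources)
            if new_threshold is not None:
                self.threshold = new_threshold
        snapshot = self.table.rows()
        self.table.clear()
        return {"defended": defended, "threshold": self.threshold,
                "paused": self.paused, "table": snapshot}


# Constructed sample: four integer rate items and two kinds of interval.
RATE_ITEMS = [RateItem(0, 100), RateItem(100, 1_000),
              RateItem(1_000, 10_000), RateItem(10_000, 100_000)]
# 20 normal clients at 40-59 pps, 5 bots at 5000 pps, 2 bots at 20000 pps (constructed).
ATTACK_INTERVAL: Dict[str, float] = {f"192.0.2.{i}": 40 + i % 20 for i in range(1, 21)}
ATTACK_INTERVAL.update({f"198.51.100.{i}": 5_000 for i in range(1, 6)})
ATTACK_INTERVAL.update({f"203.0.113.{i}": 20_000 for i in range(1, 3)})
# Bots gone after failing source authentication; only the normal clients remain.
QUIET_INTERVAL = {s: r for s, r in ATTACK_INTERVAL.items() if s.startswith("192.0.2.")}


def simulate(preset_sources: int = 3, detection_threshold: float = 2_000) -> List[dict]:
    """Three intervals: first vote, defense with the derived threshold, then the quiet tail."""
    d = Defender(RATE_ITEMS, preset_sources, detection_threshold)
    return [d.run_interval(ATTACK_INTERVAL), d.run_interval(ATTACK_INTERVAL),
            d.run_interval(QUIET_INTERVAL)]
```

With the sample traffic, the first interval derives a threshold of 1000 pps (the 2 fast bots plus 5 slower bots reach the preset count of 3 in the 1000-10000 item), the second interval defends those 7 sources and shows them in the defended column, and the third, quiet interval pauses voting instead of lowering the threshold onto the normal clients.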
Referring to fig. 5, in a second embodiment of the present invention, an apparatus for defending against a network attack is provided, including:
an obtaining module 10, configured to obtain packet rates of network packets from each source address;
a statistic module 20, configured to periodically count packet rate distribution of the network packets of each source address;
and the defense module 30 is configured to determine a rate threshold according to the packet rate distribution, and defend a source address of which the packet rate exceeds the rate threshold.
Optionally, the obtaining module 10 is further configured to obtain, before the packet rate distribution of the network messages of each source address is periodically counted, a pre-constructed voting statistics table according to the packet rate, the voting statistics table being provided with rate items describing the packet rate distribution of the source addresses. A rate item is a rate range described by a lower rate value and an upper rate value: for example, dk to ek is one rate item, each rate value being of integer type, where dk is the lower rate value, ek is the upper rate value, and dk < ek.
Optionally, the statistic module 20 includes:
a determining module 201, configured to determine, every preset time interval, an average packet rate of the network packet of each source address in a current time interval;
a voting statistics module 202, configured to count, under each rate item of the voting statistics table, the number of source addresses whose average packet rate belongs to that rate item. Each rate item (e.g. dk to ek) in the voting statistics table represents a rate range given by a lower rate value and an upper rate value; if the average packet rate of the network messages from a source address in the current preset time interval falls within the corresponding range dk to ek, the count of that rate item is increased by 1 by way of a vote, indicating that one source address has an average packet rate within the rate item dk to ek, so that the number of source addresses whose average packet rates belong to each rate range is counted.
Optionally, the defense module 30 includes:
an accumulation module 301, configured to accumulate, sequentially from high to low, the number of the source addresses counted under each rate item in the voting statistics table according to the magnitude of the rate value in the rate item.
A setting module 302, configured to set the lower rate value of the last accumulated rate item as the rate threshold when the accumulated number of source addresses reaches a preset number of source addresses. This improves the operability of judging source addresses by a rate threshold during defense, processes the high-traffic source addresses first, continuously lowers the rate threshold, improves the efficiency of suppressing malicious attacks, and improves the adaptivity of the rate threshold setting.
And a data clearing module 303, configured to clear the voting statistics table. After the rate threshold is determined, the voting of the source address corresponding to the packet rate is counted conveniently in the next round of voting statistics on the source address.
In the apparatus for defending against network attacks according to the embodiment of the present invention, in the time interval following the one in which the rate threshold is determined from the packet rate distribution, the defense module 30 defends against the source addresses whose packet rate exceeds the rate threshold, that is, it processes the high-traffic source addresses first. During the defense, the voting statistics module of the statistics module 20 counts, in the voting statistics table, the number of source addresses whose packet rate does not exceed the rate threshold, so that an administrator can view the traffic distribution of the non-defended sources and, to analyse the characteristics of the attack better, can view the traffic distributions of the defended and non-defended sources at the same time. Specifically, the number of source addresses whose packet rate exceeds the rate threshold and the number whose packet rate does not exceed it may be counted separately: for example, votes for the source addresses not exceeding the rate threshold are entered in one designated column of the voting statistics table, and votes for the source addresses exceeding it in another column, so that once a defense means has been started the administrator can view the traffic distributions of the defended and non-defended sources more intuitively, which facilitates analysis of the attack characteristics.
Preferably, the defense means of the defense module 30 according to the embodiment of the present invention for defending the source address whose packet rate exceeds the rate threshold includes:
performing source authentication on a source address of which the packet rate exceeds a rate threshold; and/or
Source throttling source addresses whose packet rates exceed a rate threshold.
Whether source authentication or source throttling is adopted is selected by an administrator according to actual application situations.
In a third embodiment of the present invention, please refer to fig. 1, a computer readable storage medium is provided, on which a computer program is stored, which when executed by a processor implements the steps of the method:
step S11: acquiring packet rates of network messages from various source addresses;
step S12: periodically counting the packet rate distribution of the network messages of each source address;
step S13: and determining a rate threshold according to the packet rate distribution, and defending a source address of which the packet rate exceeds the rate threshold.
Optionally, before the packet rate distribution of the network packet of each source address is periodically counted, the program, when executed by the processor, implements the following steps:
and acquiring a pre-constructed voting statistical table according to the packet rate, wherein the voting statistical table is provided with a rate item for describing the packet rate distribution condition of the source address. The rate term is a range of rates described by a lower rate value and an upper rate value.
Optionally, referring to fig. 2, for the periodic counting of the packet rate distribution of the network messages of each source address, the program, when executed by the processor, implements the following steps:
step S121: determining the average packet rate of the network message of each source address in the current time interval at intervals of a preset time interval;
step S122: and counting the number of the source addresses corresponding to the average packet rate under each rate item of the voting counting table according to the rate item to which the average packet rate belongs.
Optionally, referring to fig. 3, when the rate threshold is determined according to the packet rate distribution, the program implements the following steps of the method when executed by a processor:
step S131: accumulating, in order from high to low according to the rate values of the rate items, the number of source addresses counted under each rate item in the voting statistics table;
step S132: when the accumulated number of source addresses reaches a preset number of source addresses, setting the lower rate value of the last accumulated rate item as the rate threshold;
step S133: and emptying the voting statistical table.
Optionally, referring to fig. 4, when executed by the processor, the program further implements the following method steps:
step S21: within the next time interval after the rate threshold is determined according to the packet rate distribution, defending against the source addresses whose packet rate exceeds the rate threshold;
step S22: counting, in the voting statistics table, the number of source addresses whose packet rate does not exceed the rate threshold. The voting statistics table at this point is the cleared table, so that the traffic distribution during the defense process is counted more accurately.
Optionally, in step S22, when executed by the processor, the program further implements the following method step:
counting, in the cleared voting statistics table, the number of source addresses whose packet rate exceeds the rate threshold, so that the administrator can view the traffic distribution of the defended sources alongside that of the non-defended sources.
Optionally, defending against the source addresses whose packet rate exceeds the rate threshold, when executed by the processor, comprises the following method steps:
performing source authentication on the source addresses whose packet rate exceeds the rate threshold; and/or
applying source rate limiting to the source addresses whose packet rate exceeds the rate threshold.
In a fourth embodiment of the present invention, referring to fig. 1, an apparatus for defending against network attacks is provided, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor; when the processor executes the program, it implements the steps of the following method:
step S11: acquiring the packet rates of network packets from the various source addresses;
step S12: periodically counting the packet rate distribution of the network packets of each source address;
step S13: determining a rate threshold according to the packet rate distribution, and defending against the source addresses whose packet rate exceeds the rate threshold.
Optionally, before the packet rate distribution of the network packets of each source address is periodically counted, the processor implements the following step when executing the program:
acquiring a pre-constructed voting statistics table according to the packet rate, wherein the voting statistics table is provided with rate items describing the packet rate distribution of the source addresses. A rate item is a range of rates described by a lower rate value and an upper rate value.
Optionally, referring to fig. 2, when the packet rate distribution of the network packets of each source address is periodically counted, the processor implements the following steps when executing the program:
step S121: at every preset time interval, determining the average packet rate of the network packets of each source address within the current time interval;
step S122: counting, according to the rate item to which each average packet rate belongs, the number of source addresses whose average packet rate falls under each rate item of the voting statistics table.
Optionally, referring to fig. 3, when the processor executes the program to determine the rate threshold according to the packet rate distribution, the following method steps are implemented:
step S131: accumulating the number of source addresses counted under each rate item of the voting statistics table, in order from the highest rate item to the lowest, according to the magnitude of the rate values of the rate items;
step S132: when the accumulated number of source addresses reaches a preset number of source addresses, setting the lower rate value of the last accumulated rate item as the rate threshold;
step S133: clearing the voting statistics table.
Optionally, referring to fig. 4, when the processor executes the program, the following method steps are further implemented:
step S21: within the next time interval after the rate threshold is determined according to the packet rate distribution, defending against the source addresses whose packet rate exceeds the rate threshold;
step S22: counting, in the voting statistics table, the number of source addresses whose packet rate does not exceed the rate threshold, so that the administrator can view the traffic distribution of the non-defended sources.
Optionally, in step S22, when executed by the processor, the program further implements the following method step:
counting, in the cleared voting statistics table, the number of source addresses whose packet rate exceeds the rate threshold, so that the administrator can view the traffic distribution of the defended sources alongside that of the non-defended sources.
To make the technical solution of the present invention clearer, the method for defending against network attacks in the fifth embodiment of the present invention is further described with reference to a specific application scenario.
A DDoS attack is a malicious network attack in which one or more attackers control a large number of computer terminal devices as attack sources and have them send a large amount of data to a target server at the same time, so that the target server is paralyzed or other legitimate users cannot use its services.
First, in this embodiment, the preset time interval is denoted by the letter M, where M may be set to 1 to 10 seconds; the packet rate distribution is counted every M seconds. A two-dimensional voting statistics table is then allocated, as shown in table 1:
TABLE 1 Voting statistics table
First column    Second column
ek or more      ek or more
dk to ek        dk to ek
ck to dk        ck to dk
bk to ck        bk to ck
ak to bk        ak to bk
0 to ak         0 to ak
Each row in table 1 represents a rate range. ak, bk, ck, dk and ek each denote a rate value, and within each column the rate values are arranged in order from top to bottom, with the highest range in the top row. Each cell of the table, such as "dk to ek", is a rate item that records the number of source addresses whose packet rate falls in the corresponding rate range. Before the rate threshold is determined, the first column is used to count the source addresses of all packet rates. After the rate threshold is determined, the first column is used to count the source addresses whose packet rate does not exceed the rate threshold, and the second column is used to count the source addresses whose packet rate exceeds it; that is, the first column shows the rate statistics of the source addresses against which no defensive measure is taken, and the second column shows the rate statistics of the source addresses against which a defensive measure is taken. It should be pointed out that the rate statistics of the defended source addresses in the second column are kept to give the analysing administrator a reference: the traffic distributions of the non-defended sources and of the defended sources can be checked and analysed visually, which makes it easier to analyse the characteristics of the network attack.
After detecting that a DDoS attack is occurring, the server acquires the packet rate of the network packets from each source address in the DDoS attack, periodically counts the packet rate distribution of the network packets of each source address, determines a rate threshold according to the packet rate distribution, and in each round defends against the source addresses whose packet rate exceeds the rate threshold, until the traffic of the protected server falls back to a normal level. The specific defense process is as follows:
1. When the server detects that a DDoS attack is occurring (the traffic has triggered a preset detection threshold), it allocates a two-dimensional voting statistics table according to the packet rates it receives, and every M seconds performs a voting count over the source addresses of all attack sources sending to the attacked server.
2. Every M seconds, each source address casts a vote: the average packet rate of the network packets of each source address over the current M seconds is calculated, and the count under the rate item into which that average packet rate falls is increased by 1, so as to count the number of source addresses in each rate range during the attack.
3. Every M seconds, the first column of the voting statistics table is analysed: the number of source addresses counted under each rate item in the first column is accumulated in order from the highest rate item to the lowest, according to the magnitude of the rate values of the rate items. If n source addresses in total are sending to the attacked server within the M seconds, where n is a positive integer, the preferred embodiment of the present invention sets the preset number of source addresses to n × 20% (this preset number is not the only possible choice). When the accumulated number of source addresses reaches n × 20%, the lower rate value of the last accumulated rate item is set as the rate threshold, and the voting statistics table is then cleared, that is, the first column of the voting statistics table is cleared, so that the number of source addresses in the next M seconds can be counted.
4. In the next M seconds after the rate threshold is determined, the network packets of the DDoS attack in that period are processed using the determined rate threshold: if the packet rate of a network packet's source exceeds the rate threshold, defense measures such as source authentication and/or source rate limiting are applied to the source address corresponding to that network packet.
5. In the next round of voting over each source address, the votes of source addresses whose packet rate exceeds the rate threshold are recorded in the second column of the voting statistics table, and the votes of source addresses whose packet rate does not exceed the rate threshold are recorded in the first column, so that the administrator can visually check the traffic distribution of the defended sources and of the non-defended sources.
6. After the packet rate of the network packets destined for the server has been brought below the preset detection threshold, voting is suspended.
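The voting, threshold selection and two-column re-voting of steps 1 to 5 above, as an added Python example that is not part of the patent: the rate boundaries ak to ek, the 20% share, the interval M and the sample traffic are constructed, and returning no threshold when the running count never reaches n × 20% is an assumption the patent does not cover.

```python
import math

# Constructed rate item boundaries ak..ek in packets per second (the patent
# fixes no values). Item i covers [EDGES[i], EDGES[i+1]); the last item is
# "ek or more".
EDGES = [0, 100, 500, 1000, 5000, 10000]
TOP_SHARE = 0.20   # preset number of source addresses = n x 20%
M = 5              # preset interval in seconds (patent allows 1 to 10)


def rate_item(rate):
    """Index of the rate item (table row) that a packet rate falls under."""
    idx = 0
    for lower in EDGES[1:]:
        if rate >= lower:
            idx += 1
    return idx


class VotingTable:
    """Table 1: column 0 counts non-defended sources, column 1 defended ones."""

    def __init__(self):
        self.clear()

    def clear(self):
        self.cols = [[0] * len(EDGES), [0] * len(EDGES)]

    def vote(self, rate, defended=False):
        self.cols[1 if defended else 0][rate_item(rate)] += 1

    def threshold(self, n_sources):
        """Steps S131-S133: walk column 0 from the highest rate item down and
        return the lower edge of the item at which the running count reaches
        n x 20%, then clear the table. Returns None if the count is never
        reached (assumption: the patent does not cover that case)."""
        preset = math.ceil(n_sources * TOP_SHARE)
        accumulated = 0
        for i in range(len(EDGES) - 1, -1, -1):
            accumulated += self.cols[0][i]
            if accumulated >= preset:
                self.clear()
                return EDGES[i]
        return None


def run_interval(packet_counts, table, threshold=None):
    """One M-second voting round (steps 2 and 5). packet_counts maps a source
    address to the packets seen from it in this interval. Returns the set of
    sources handed to source authentication / rate limiting this round."""
    defended = set()
    for src, count in packet_counts.items():
        rate = count / M
        # ">=" so that every source counted in the last accumulated rate item
        # is covered (assumption; the patent only says "exceeds").
        is_defended = threshold is not None and rate >= threshold
        if is_defended:
            defended.add(src)
        table.vote(rate, defended=is_defended)
    return defended


# Constructed sample: eight ordinary clients at 60 pps plus two flooders.
SAMPLE = {f"10.0.0.{i}": 60 * M for i in range(1, 9)}
SAMPLE.update({"203.0.113.7": 8000 * M, "198.51.100.9": 20000 * M})


def demo():
    table = VotingTable()
    run_interval(SAMPLE, table)                    # round 1: vote only
    thr = table.threshold(len(SAMPLE))             # step 3: 2 of 10 sources
    defended = run_interval(SAMPLE, table, thr)    # round 2: defend + re-vote
    return thr, sorted(defended), table.cols
```

With the sample, the two highest rate items together hold 2 of the 10 sources, so the threshold lands on the lower edge of "dk to ek" (5000 pps) and the second round records the two flooders in the second column.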
In addition, an interface for viewing the voting statistics table can be provided in a terminal interface or on a command line, so that the traffic distribution of the DDoS attack can be viewed without enabling any defense measure. After a defense measure is started, the traffic distribution of the defended source addresses and of the non-defended source addresses during the DDoS attack can be checked, which makes it easier to analyse the characteristics of the attack.
Clearly, the rate threshold set in the network attack defense process is more practical for judging source addresses: the high-traffic source addresses are handled first in the cyclic voting process, the rate threshold is lowered round by round, the efficiency of suppressing malicious network attacks is improved, the traffic judgement threshold can be adjusted dynamically as the network traffic changes, the adaptability of the rate threshold setting is improved, and the administrator is provided with a statistics table that visually shows the traffic situation during the attack.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by associated hardware instructed by a program, which may be stored in a computer-readable storage medium, and the storage medium may include: ROM, RAM, magnetic or optical disks, and the like.
In summary, the above description is only a preferred embodiment of the present invention and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (7)

1. A method of defending against cyber attacks, comprising:
acquiring packet rates of network messages from various source addresses;
periodically counting the packet rate distribution of the network messages of each source address;
determining a rate threshold according to the packet rate distribution, and defending a source address of which the packet rate exceeds the rate threshold;
the periodically counting the packet rate distribution of the network messages of each source address comprises:
determining the average packet rate of the network message of each source address in the current time interval at intervals of a preset time interval; according to the rate item to which the average packet rate belongs, counting the number of the source addresses corresponding to the average packet rate under each rate item of a voting counting table;
the determining a rate threshold from the packet rate distribution comprises:
according to the magnitude of the rate value in the rate item, accumulating the number of the source addresses counted under each rate item in the voting statistics table from high to low in sequence; when the number of the source addresses is accumulated to a preset number of source addresses, setting the lower rate value of the last accumulated rate item as the rate threshold;
the method further comprises the following steps:
within the next time interval after the rate threshold is determined according to the packet rate distribution, defending against a source address of which the packet rate exceeds the rate threshold;
counting the number of the source addresses of which the packet rate does not exceed the rate threshold in the voting statistic table.
2. The method for defending against network attacks according to claim 1, wherein before periodically counting the packet rate distribution of the network packets of each source address, the method comprises:
and acquiring a pre-constructed voting statistical table according to the packet rate, wherein the voting statistical table is provided with a rate item for describing the packet rate distribution condition of the source address.
3. The method of defending against network attacks of claim 2, wherein the rate term is a range of rates described by a lower rate value and an upper rate value.
4. The method of defending against network attacks of claim 1, wherein the defending against the source address where the packet rate exceeds the rate threshold comprises:
performing source authentication on a source address of which the packet rate exceeds the rate threshold; and/or
carrying out source rate limiting on the source address of which the packet rate exceeds the rate threshold.
5. An apparatus for defending against cyber attacks, comprising:
the acquisition module is used for acquiring the packet rate of the network message from each source address;
a statistics module, configured to periodically count the packet rate distribution of the network packets of each source address, where the periodically counting the packet rate distribution of the network packets of each source address includes: determining the average packet rate of the network packets of each source address in the current time interval at intervals of a preset time interval; counting the number of the source addresses corresponding to the average packet rate under each rate item of a voting statistics table according to the rate item to which the average packet rate belongs; defending against the source addresses of which the packet rate exceeds the rate threshold within the next time interval after the rate threshold is determined according to the packet rate distribution; and counting the number of the source addresses of which the packet rate does not exceed the rate threshold in the voting statistics table;
a defending module, configured to determine a rate threshold according to the packet rate distribution, and defend against a source address of which the packet rate exceeds the rate threshold, where the determining a rate threshold according to the packet rate distribution includes: according to the magnitude of the rate value in the rate item, accumulating the number of the source addresses counted under each rate item in the voting statistics table from high to low in sequence; and when the number of the source addresses is accumulated to the preset number of source addresses, setting the lower rate value of the last accumulated rate item as the rate threshold.
6. A computer-readable storage medium, characterized in that the storage medium has stored thereon a computer program which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 4.
7. An apparatus for defending against cyber attacks, comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the method of any one of claims 1 to 4 when executing the program.
CN201810135581.8A 2018-02-09 2018-02-09 Method, device, storage medium and equipment for defending network attack Active CN108390870B (en)
Publications (2)

Publication Number Publication Date
CN108390870A CN108390870A (en) 2018-08-10
CN108390870B true CN108390870B (en) 2021-07-20